Skip to content

Better Together: How SMPs Work with IDaaS and IGA Tools

Natalie Robb

April 26, 2021

6 minute read

BetterTogether_featureImage

How does an SaaS management platform (SMP) work together with identity access management (IAM) tools?

Covering both identity as a service (IDaaS) and identity governance and administration (IGA), the IAM category plays very well with SMPs. To help you understand this trio of tools, we explore how SMPs work with IDaaS and IGA tools.

Specifically, we’ll explain:

  • The identity management process
  • Tools for identity and SaaS management in SaaS operations
  • How SMPs work with IDaaS and IGA tools

But first, let’s move onto identity management.

The identity management process

Identity management, sometimes called ID management or IDM, is an IT process to make sure users have proper access to an enterprise’s technology resources.

It works by associating user rights and restrictions with verified user identities. Identity management includes the range of functions like:

  • Defining and managing the roles and access privileges
  • Identifying a user
  • Authenticating a user
  • Authorizing a user access

The aim is to give users the right access to networks, endpoint devices, data, and on-premises and SaaS applications.

Users include customers, partners and employees. Meanwhile, devices include smartphones, tablets, computers, and server and network hardware.

Essential to both SaaS operations and enterprise security, IT teams can use numerous tools to perform different parts of this crucial identity management process.

Tools for identity and SaaS management in SaaS operations

The core goal of identity management systems centers around a single digital identity per individual or device. Once that digital identity has been established, it must be maintained, modified, and monitored throughout each user’s or device’s access lifecycle.

But before we can talk about how SMPs work with IDaaS and IGA tools, we need to clear up some confusion.

Navigating the alphabet soup of identity management tools

The software category, not surprisingly, is called identity access management (IAM). It’s loaded with different platforms with differing functions and features, sporting the usual analyst-induced acronym confusion. In a nutshell, the image below shows the tools that make up identity management.

To truly grasp how SMPs work with IDaaS and IGA tools, let’s describe what these tools do.

Identity access management (IAM or IdM) platforms

This is a broad group of identity management solutions for managing digital user identities and granting access to various IT resources. It includes the core identity, which is also known as directory services.

The identity management category includes subcategories of tools used to access SaaS applications. Here are the main platforms and their definitions:

  • Single sign-on (SSO) is a service that centralizes session and user authentication where a single set of login credentials can access many applications.
  • An identity provider is a service that stores and verifies user identity. These directory services often work with single sign-on (SSO) providers to authenticate users.
  • Identity as a service (IDaaS) is an authentication infrastructure built, hosted, and managed by a third-party service provider. These are cloud-based authentication or identity management services that use authentication, SSO, and access controls to provide secure access to software and SaaS applications.
  • Multi-factor or two-factor authentication is authentication meant to raise barriers to hackers by using more than one authentication factor. For example, it uses a password and approves access by adding yet another authentication factor like an image, fingerprint, or second password. And just to clarify, every 2FA is an MFA, but not the other way around.
  • IGA/IGM is an automation platform for provisioning, deprovisioning, and managing user accounts, roles, and access rights for individual users across both cloud and on-prem infrastructure. The primary aim is for compliance and governance, as these platforms provide visibility into managing passwords, access certifications, and approvals.

IGAs provide identity-related risk insight, improve the ability to meet audit requirements, and improve security. Mostly used by large organizations or highly regulated ones, this subcategory is an established technology that is deployed on-prem or as a service in the cloud.

Now that you know a bit more about the world of identity management, let’s move onto discussing SMPs and how they work with IDaaS and IGA tools.

Understanding SaaS management platforms

An SMP is an IT automation platform that enterprises are quickly adopting. It provides a central place to automatically discover SaaS apps in use throughout the organization, as well as manage and secure users, apps, data, files, folders, and user interactions within SaaS apps.

SMPs are used for many reasons, and among them are:

  • Spend reporting
  • Spend optimization
  • Least privilege access enforcement
  • SaaS app management
  • File security and compliance
  • File sharing and data exposure alerts
  • User lifecycle management (on/offboarding and mid-lifecycle changes)

As such, to accomplish these tasks, SMPs integrate with several other systems. These could be a cloud access security broker (CASB), IT service management tool (ITSM), or a human resources information system (HRIS). They’ll also integrate with identity providers like OneLogin as well as endpoint management tools like Jamf. From there, they obviously integrate with a range of cloud productivity apps, like Google Workspace and Microsoft 365, as well as point apps like Asana, Jira, and countless others.

To discover and manage SaaS apps, an SMP must constantly ingest large quantities of data, normalize it, and graph all data objects across the SaaS environment. To know user activities within apps, it does it all in real time.

This process is the foundation of operational context critical to effectively managing and securing applications. It’s also the foundation to both basic and advanced automations required for efficient SaaSOps.

Now that you know more about the tools used to operate your SaaS environment, at first glance, it might appear that they’re all very similar.

That conclusion, like much in IT, really depends on your current SaaS app landscape, goals, needs, and implementation.

If your organization’s primary goal is secure identity management, you’ll likely deploy an IDaaS. Then if your organization has high compliance requirements, you add an IGA/IGM. If you’re aiming to manage and secure what happens within a SaaS app, you use an SMP. Sometimes, you’ll use all three.

How SMPs work with IDaaS and IGA tools

There is some overlap in basic functionality between and among IDaaS, IGA, and SMP tools. For example, although not as well or as elegantly as an SMP, some IGA and IDaaS tools can do some basic app configurations for a limited set of SaaS apps.

However, at this point in time, many organizations—especially large ones—deploy all three, taking advantage of the strengths of each one.

As a result, functionality between and among an IDaaS, IGA, and SMP is largely complementary.

Used together, these tools automate user lifecycle management

This illustration shows how teams generally deploy the three tools and how they work together to manage a user’s lifecycle.

bettercloud_ulm

In a nutshell, organizations use:

  1. IGA to automate on-prem and SaaS app approvals
  2. IDaaS to automate app provisioning and deprovisioning processes, as well as access control to SaaS applications
  3. SMP to then automate app configurations. Because each SaaS app has its own way of doing things, SMPs perform a deeper and broader range of actions within each SaaS app.

Let’s now get into more detail on how SMPs work with IDaaS and IGA tools.

SMPs support both basic and advanced workflow actions

Once a user is provisioned, the SMP monitors the IDaaS for changes to user identities after the IDaaS initially provisions users.

When IT updates a user’s IDaaS profile, it then triggers an SMP to reassign the user according to the granular permissions set within it. This includes important tasks like revoking existing Google Workspace groups, Slack channels, or Salesforce permissions and transferring them accordingly.

It works the same way for offboarding.

When IT or HR suspends or deprovisions a user in an IDaaS, it triggers an SMP to perform offboarding actions. Keep in mind the complexities of offboarding due to the diversity of the SaaS environment. So while onboarding can be accomplished in a handful of workflows, complete and secure offboarding can take dozens, and in some cases, hundreds of different workflows—each with its own actions.

This includes actions like transferring files—wherever they may be within a SaaS app throughout your SaaS environment—to a manager. It also includes actions like revoking app licenses, starting the compliance-related waiting period for file deletion, and then returning licenses to inventories.

For large enterprises to nimbly scale ULM, SMPs allow enterprises to create API-driven workflows for the hundreds of SaaS apps that run the modern, digitally minded enterprise. Because enterprises can take advantage of large, growing inventories of workflow templates and native pre-built integrations, they can speed new workflow deployments and easily refine them as needs change.

In addition, enterprises can automate ULM for less common apps by using a customizable API.

And SMPs bring other meaningful advantages to ULM. To efficiently develop new workflows, the SMP front-end is no-code. This makes it fast and easy for enterprises to deploy, use, and change ULM workflows.

Then on the back end, SMPs constantly ingest large quantities of data to provide operational context. This context is critical to effectively managing and securing applications across the user lifecycle and SaaS environment.

SMPs bring IT operational benefits far beyond user lifecycle management

Enforcement of least privilege access, policies across SaaS apps, and data loss protection are just a few of the benefits. Neither IGAs nor IDaaS tools offer these benefits now.

In closing, since SMPs enable a wide range of granular actions and triggers required to manage within SaaS apps, the SMP’s place in SaaS operations is here to stay.

Used alongside each other, SMPs work together with IDaaS and IGA tools—improving your SaaSOps one automation at a time.

Want to learn more about how an SMP can help you automate your IT processes (and more)? Request a demo.

Sign up for our newsletter